While browsing your Facebook or Twitter timelines, you may have come across “sponsored ads” that seem too good to be true. Most can be spotted immediately and swiftly ignored; however, you may have been tagged in a post or received a message on your personal timeline posted by a friend, directing you to a killer sale. See figure 1 for an example.

Figure 1.

The example above shows an ad for Ray Ban, a popular sunglass retailer whose classic sunglasses range from $155 to $200, that looks as though it was shared by a regular user or even a friend on Facebook. The ad targets unsuspecting consumers looking to score the name brand sunglasses for up to 80% off.

Figure 2.

The idea here, like any scam, is to entice unknowing consumers to jump on the hot deals and “buy” the Ray Ban’s at such low prices. Once the links are clicked on, the consumer is redirected to what looks like a legitimate discount website that is offering deals with up to 80% savings on multiple styles, see Figure 2 and Figure 3 for examples.

Figure 3.

The phisher hopes that the deal is too good for the consumer to pass up and engages in purchasing the product. Here, the phisher is hoping the consumer will enter their personal data like first and last name, emails address, personal home address and credit card information, to then flip and sell to third parties.

It is always smart to use best practices when shopping online. Here are a few tips:

Do a bit of research and go directly to the name brand website to see what offers are on the official website

Look for plain websites as a warning, as they are quickly put together with minimal tabs and functionality

Look for poor grammar and misspellings; because these fake sites are so quickly put together, often times spell checking isn’t their highest priority

Barracuda Labs encourages – if you do get tagged in an ad like this or find it posted to your wall – immediately untag yourself and delete it from your wall so you can avoid letting your friends or family members fall victim to the scam as well.

For more resources on the Big Business of Spam, you can see previous posts here:

Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure. So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity. This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity. I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option. This protects users’ traffic from getting sniffed and their sessions from being hijacked. It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection. So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type. For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image. So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page. This prevents Clickjacking attacks against the user. Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack. If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser. Instead, you will see something similar to this depending on the browser:

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step. In contrast, let’s look at a typical Facebook response:

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

Secure Cookie

Nosniff

XSS Protection

X-Frame

HttpOnly Cookie

SSL

Google+

Yes

Yes

Yes

Sameorigin

Yes

Yes

Facebook

No

No

No

Deny

Yes

Optional and not default

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”. According to the advisory, Facebook has resolved the issue. I did another check of the headers and still did not see any change to the response. It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has. Here is the link to the official MSVR advisory:http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers. What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities? Absolutely not. Is it a good start? Yes, it is. And further, it is good to see an app make its debut with security in mind. It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

Two weeks ago Facebook saw a wave of celebrity like-jacking attacks which Barracuda Labs detailed in a post describing their Open Graph underpinnings. Those attacks used teen celebrities as their bait – Justin Bieber and Miley Cyrus were prominent themes.

After a slight hiatus, the scammers are back with the same software but a different approach. They're targeting a tried and true Internet meme – T & A.

Clicking on one of these links in a friend feed takes you away from Facebook to another site. In the previous campaign, these throw-away sites were registered with names like girl-gets-caught.info or daddy-bustedonline.info, and the scam pages were formatted to look like YouTube videos.

Now that they've added more salacious come-ons, at least some of the pages are formatted to look like gossip sites.

Just as before, this Web page uses the Open Graph API to construct a large ‘like' button that appears to be a movie preview pane. Clicking on the preview pane does two things: it posts a ‘like' message to your own news feed and then serves up a set of scammy surveys and questionable product offerings under the guise of a ‘security check'.

If you click all the way through any of these offerings, the like-jack page creators are paid a fee. Entering personal information into any of these ‘surveys' is a great way to get on spam lists. Many of them solicit your cell phone number and then sign you up for unwanted premium SMS services which are placed on your cell phone bill each month.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends' news feeds. Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.

Earlier today Twitter was the target/medium of a large scale cross site scripting (XSS) spam/attack demonstration.

In the wee hours of the morning, Pearce Delphin, @zzap, discovered that when embedding a URL in a tweet, script code following an ‘@' character in the link was executed in the context of the page hosting the link, in this case twitter.com. Before long, Twitter was ablaze and as of this writing “onmouseover” is still a trending topic. Throughout the day, people were using the XSS for pranks (rickrolling) to demonstrate cookie theft, to redirect to porn sites, to push quite a bit of spam, and to deliver a few instances of sites hosting exploits.

Several high profile Twitter accounts were hit by the exploit (and in turn began exploiting people themselves) including Sarah Brown, wife of ex prime minister of the UK Gordon Brown, and the official account of the White House (@presssec).

Twitter has fixed the vulnerability, though we're seeing reports that the patch wasn't complete and only blocked that particular exploit instead of the vulnerability itself (an all too common problem). It is unfortunate that just a couple weeks after launching new features on the site that gave users more reasons to use twitter.com, this most recent example of XSS gives users a reason to second guess that and stick with clients for now.

In his first week on Twitter from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week, he reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week. We estimated that each tweet took 3 seconds to read. We calculated how many people were following him at the time each tweet was sent. In total, 2,551,812 man minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye's first week on Twitter.

Today, we show the first view. The first question that we wanted to answer was what kind of people are attracted to follow Kanye? For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye's followers and their followers.

Let's review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year's MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit as a substantial amount of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently an item at photoshoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye's first week, more than half of Amber's followers already follow Kanye. Further, Kanye has seven times more followers than Amber who joined two months ago.

Power: Kanye's new song is called “Power” but let's compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye's followers also follow the President.

Perhaps Kanye's followers are into political leaders of all parties. How about Newt Gingrich? Less than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye's first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors. Key highlights:

Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.

The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!

Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.

The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3. Key highlights:

In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.

Only 28.87 percent of Twitter users are actual True Twitter Users.

Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.

One in every eight Twitter users has at least 10 times more followers than they are following.

Only one in 10 users is following more than 100 users, and almost half are following less than five.

The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!